Collective Intelligence : Incident Response ToolKit

Today's world is full of so-called hackers, and their attacks, often launched in a hurry, can wipe out millions of records in a matter of minutes. The world has seen what a ransomware outbreak does, whether it peaked within a single day like WannaCry on 12 May 2017 or NotPetya on 27 June 2017: the outcome was dangerous. Large numbers of corporate devices were corrupted, forcing companies to spend millions to rebuild the same infrastructure.

Maersk Posts Surprise Loss, Warns of Cyberattack Impact : Maersk warned that the cyberattack, which hit companies across the world in the last week of the quarter, would cost it between $200 million and $300 million. The company will register the hit in the third quarter, with the impact on second-quarter results minimal.

So during any outbreak, incident management and handling play a key role in analyzing, minimizing and nullifying the impact, which can save organisations millions in losses at a critical time. In this section we will correlate and gather collective intelligence on a number of incident response toolsets.

According to Wikipedia, Incident management (IcM) is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future re-occurrence.

An incident is an event that could lead to loss of, or disruption to, an organization’s operations, services or functions.

If not managed, an incident can escalate into an emergency, crisis or a disaster.

Incident management is therefore the process of limiting the potential disruption caused by such an event, followed by a return to business as usual.

An incident response team or emergency response team (ERT) is a group of people who prepare for and respond to any emergency incident, such as a natural disaster or an interruption of business operations.

Incident response teams are common in public service organizations as well as in corporate organizations.

Incident Response Toolkit Collective Intelligence

GRR Rapid Response: One of Google's innovations, it is an incident response framework focused on remote live forensics. GRR consists of a Python agent (client) that is installed on target systems and Python server infrastructure that manages and talks to the agents.

Redline: FireEye's free endpoint investigation tool for memory and file analysis. The vendor lists its key features as follows.

Analyze and view imported audit data, including the ability to filter results around a given timeframe using Redline's Timeline functionality with the TimeWrinkle™ and TimeCrunch™ features.

Streamline memory analysis with a proven workflow for analyzing malware based on relative priority.

Perform Indicators of Compromise (IOC) analysis. Supplied with a set of IOCs, the Redline Portable Agent is automatically configured to gather the data required to perform the IOC analysis and to review the IOC hit results.

MIG: Mozilla InvestiGator: MIG is Mozilla's platform for investigative surgery of remote endpoints. MIG is composed of agents installed on all systems of an infrastructure that can be queried in real time to investigate the file systems, network state, memory or configuration of endpoints.

Use case: imagine it is 7am on a Saturday morning, and someone has just released a critical vulnerability for your favorite PHP application.

The vulnerability is already being exploited, and security groups are releasing indicators of compromise (IOCs).

With MIG, the signature of the vulnerable PHP app (the MD5 of a file, a regex, or just a filename) can be searched for across all your systems using the file module. Similarly, IOCs such as specific log entries, backdoor files identified by MD5 and SHA-1/2/3 hashes, IP addresses from botnets, or byte strings in process memory can be investigated using MIG. Suddenly your weekend is looking a lot better: with just a few commands, thousands of systems are remotely investigated to verify that you are not at risk.
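The sweep described above, as an added example that is not part of MIG, Redline or this page's original text: a standard-library Python script that runs the same three kinds of indicator (filename, file hash, content regex) over a directory tree on one host, which is the per-endpoint work behind Redline's IOC analysis and MIG's file module. The indicators, the sample web root and its files are all constructed for the demo; the hash indicator is derived from the constructed sample file rather than taken from any real advisory.

```python
"""IOC sweep of a file tree: filename, hash and content-regex indicators.

Added example, not code from MIG or Redline. Every path, indicator value
and sample file below is constructed for the demo.
"""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str   # "filename" | "md5" | "sha256" | "regex" (regex runs on file content)
    value: str
    name: str   # human-readable label reported on a hit


def file_hashes(path: str) -> Tuple[str, str]:
    """MD5 and SHA-256 of a file, read in chunks so large files never load whole."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def sweep(root: str, indicators: List[Indicator],
          max_scan_bytes: int = 1 << 20) -> List[Tuple[str, str]]:
    """Walk `root` and return sorted (relative path, indicator name) pairs.

    Hash matching is case-insensitive. Content regexes only see the first
    `max_scan_bytes` of a file so one huge file cannot stall the sweep.
    Unreadable files are skipped, not fatal: an IOC sweep must finish.
    """
    by_name = {i.value: i for i in indicators if i.kind == "filename"}
    by_hash = {(i.kind, i.value.lower()): i
               for i in indicators if i.kind in ("md5", "sha256")}
    regexes = [(re.compile(i.value.encode()), i)
               for i in indicators if i.kind == "regex"]
    hits: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if fname in by_name:                      # name match needs no read
                hits.append((rel, by_name[fname].name))
            try:
                md5, sha256 = file_hashes(path)
                with open(path, "rb") as fh:
                    head = fh.read(max_scan_bytes)
            except OSError:
                continue   # permission denied, file vanished mid-walk, etc.
            for key in (("md5", md5), ("sha256", sha256)):
                if key in by_hash:
                    hits.append((rel, by_hash[key].name))
            for rx, ind in regexes:
                if rx.search(head):
                    hits.append((rel, ind.name))
    return sorted(hits)


# Constructed sample IOCs for the scenario in the text: a vulnerable PHP
# library build plus the webshell an attacker drops after exploiting it.
# The MD5 is computed from the constructed sample, standing in for the
# value a vendor advisory would publish.
LIB_CONTENT = b"<?php // vulnerable-lib 1.2.3 (constructed sample) ?>\n"
INDICATORS = [
    Indicator("md5", hashlib.md5(LIB_CONTENT).hexdigest(), "vulnerable library build"),
    Indicator("filename", "c99.php", "known webshell filename"),
    Indicator("regex", r"eval\s*\(\s*\$_(POST|GET|REQUEST)", "eval of request parameter"),
]


def demo() -> List[Tuple[str, str]]:
    """Build a throwaway web root (one clean, one vulnerable, one backdoored file) and sweep it."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "app/index.php": b"<?php echo 'hello'; ?>\n",
            "app/vendor/lib.php": LIB_CONTENT,
            "app/uploads/c99.php": b"<?php eval($_POST['x']); ?>\n",
        }
        for rel, content in samples.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(content)
        return sweep(root, INDICATORS)


if __name__ == "__main__":
    for rel, name in demo():
        print(f"{name:28} {rel}")
```

Running it reports three hits: the dropped webshell matches on both its filename and the eval-of-request-parameter pattern, and the vulnerable library matches on its hash, while index.php is clean. Two details a practitioner would want are already in there: unreadable files are skipped rather than aborting the run, and content regexes are only applied to the first megabyte of each file. Note also that any file hash is a brittle indicator, since a one-byte change to the backdoor defeats it; that is why filename and content-pattern indicators are worth carrying alongside the hashes rather than relying on MD5 or SHA values alone.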